Can't get Client certificates to work
2013-03-28, 11:51
Post: #9
RE: Can't get Client certificates to work
(2013-03-27 15:55)mcb30 Wrote:  I would suggest that you try recreating your configuration from scratch, following the instructions on http://ipxe.org/crypto verbatim as far as possible.

Hello Michael!

Thank you for your reply. I've been following the instructions.

I've changed the configuration. Now I've created a CA certificate and 3 other certificates, one for the server, one for code signing and one for client verification, which I have signed using the CA. Please have a look at the end, where I've added the script I use.

In httpd.conf I use them this way:
Code:
SSLCACertificateFile /var/asys/ipxe/certs/ca.crt
SSLCertificateFile /var/asys/ipxe/certs/server.crt
SSLCertificateKeyFile /var/asys/ipxe/certs/server.key

HTTPS and code signing work quite fine. Still no success with client verification, and I'm running out of ideas.

The Apache error log shows:

Code:
Connection: Client IP: 192.168.11.131, Protocol: TLSv1.2, Cipher: AES256-SHA256 (256/256 bits)
ssl_engine_io.c(1897): OpenSSL: read 5/5 bytes from BIO#7f2750001340 [mem: 7f2750006c73] (BIO dump follows)
ssl_engine_io.c(1830): +-------------------------------------------------------------------------+
ssl_engine_io.c(1869): | 0000: 17 03 03 00 90                                   .....            |
ssl_engine_io.c(1875): +-------------------------------------------------------------------------+
ssl_engine_io.c(1897): OpenSSL: read 144/144 bytes from BIO#7f2750001340 [mem: 7f2750006c78] (BIO dump follows)
ssl_engine_io.c(1830): +-------------------------------------------------------------------------+
ssl_engine_io.c(1869): | 0000: 5a e3 f2 d6 8b cf f2 67-58 fa 04 c7 82 b2 ff 02  Z......gX....... |
ssl_engine_io.c(1869): | 0010: 30 b2 52 6a 92 b9 2f b3-71 18 1f 94 73 ec a1 6e  0.Rj../.q...s..n |
ssl_engine_io.c(1869): | 0020: 40 c3 79 3b d6 18 7e 2c-10 9f c3 12 43 d5 5f e1  @.y;..~,....C._. |
ssl_engine_io.c(1869): | 0030: 09 da f0 0e 85 d8 2d 37-8e 4a 44 c5 aa dc 54 60  ......-7.JD...T` |
ssl_engine_io.c(1869): | 0040: 8f e7 fa 80 b7 6f 40 fc-59 95 04 f0 45 b3 2e 66  .....o@.Y...E..f |
ssl_engine_io.c(1869): | 0050: 5b 6f 52 eb 7b c3 8f 49-be d0 5b 8f 36 98 ef e1  [oR.{..I..[.6... |
ssl_engine_io.c(1869): | 0060: 86 ec 63 f4 95 e5 93 cd-85 59 61 7a df ee c8 25  ..c......Yaz...% |
ssl_engine_io.c(1869): | 0070: 02 b2 43 34 5e 74 41 1b-ea 56 29 ec d8 ab 68 cc  ..C4^tA..V)...h. |
ssl_engine_io.c(1869): | 0080: d9 e3 8b 47 76 e9 02 0b-ff df d7 13 9d 21 35 e6  ...Gv........!5. |
ssl_engine_io.c(1875): +-------------------------------------------------------------------------+
Initial (No.1) HTTPS request received for child 1 (server 192.168.11.152:443)
ssl_engine_kernel.c(510): [client 192.168.11.131] Changed client verification type will force renegotiation
[client 192.168.11.131] Requesting connection re-negotiation
ssl_engine_io.c(1908): OpenSSL: I/O error, 5 bytes expected to read on BIO#7f2750001340 [mem: 7f2750006c73]
ssl_engine_kernel.c(764): [client 192.168.11.131] Performing full renegotiation: complete handshake protocol (client
ssl_engine_kernel.c(1866): OpenSSL: Handshake: start
ssl_engine_kernel.c(1884): OpenSSL: Write: SSL renegotiate ciphers
ssl_engine_kernel.c(1903): OpenSSL: Exit: error in SSL renegotiate ciphers
[client 192.168.11.131] Re-negotiation request failed
SSL Library Error: 336068946 error:14080152:SSL routines:SSL3_ACCEPT:unsafe legacy renegotiation disabled

Here is the script I use to create the certificates:
Code:
#!/bin/bash

# Stop at the first failing step, so that a failed signing step does not
# silently leave a stale or missing certificate for the iPXE build below.
set -e

cd /var/asys/ipxe/certs

# The same file is given to -passin and -passout below. OpenSSL then reads
# the first line as the input password and the second line as the output
# password, which is why the password is written twice.
rm -f sslpass
echo secure2013 >> sslpass
echo secure2013 >> sslpass

echo
echo ============================================================================
echo
echo '                Creating CA Certificate'
echo
echo ============================================================================
echo

# CREATE ROOT Certificate (self-signed, valid for 10 years)
openssl req -x509 -newkey rsa:2048 -out ca.crt -keyout ca.key -days 3650 \
-subj "/C=AT/ST=Vienna/L=Vienna/O=asys/CN=secureBoot" \
-passin file:sslpass -passout file:sslpass

echo
echo ============================================================================
echo
echo '                    Creating SERVER Certificate'
echo
echo ============================================================================
echo

# CREATE Certificate request
# NOTE: the server, code-signing and client requests below all carry the
# same subject. With its default unique_subject = yes, "openssl ca" refuses
# to issue a second certificate for an identical subject, so ca.cnf must
# set unique_subject = no for the later signing steps to succeed.
openssl req -newkey rsa:2048 -keyout server.key -out server.req \
-subj "/C=AT/ST=Vienna/L=Vienna/O=mycompany/CN=192.168.11.152" \
-passin file:sslpass -passout file:sslpass

# SIGN Certificate using CA Certificate
openssl ca -config ca.cnf -in server.req -out server.crt \
-passin file:sslpass -batch

echo
echo ============================================================================
echo
echo '                 Creating CODE SIGN Certificate'
echo
echo ============================================================================
echo

# CREATE Certificate request
openssl req -newkey rsa:2048 -keyout codesign.key -out codesign.req \
-subj "/C=AT/ST=Vienna/L=Vienna/O=mycompany/CN=192.168.11.152" \
-passin file:sslpass -passout file:sslpass

# SIGN Certificate using CA Certificate, with the codesigning extensions
# section from ca.cnf (iPXE checks the code-signing extended key usage)
openssl ca -config ca.cnf -extensions codesigning -in codesign.req -out codesign.crt \
-passin file:sslpass -batch

echo
echo ============================================================================
echo
echo '                 Creating CLIENT Certificate'
echo
echo ============================================================================
echo

# CREATE Certificate request
openssl req -newkey rsa:2048 -keyout client.key -out client.req \
-subj "/C=AT/ST=Vienna/L=Vienna/O=mycompany/CN=192.168.11.152" \
-passin file:sslpass -passout file:sslpass

# SIGN Certificate using CA Certificate
openssl ca -config ca.cnf -in client.req -out client.crt \
-passin file:sslpass -batch

echo
echo ============================================================================
echo
echo '                       Removing Passwords'
echo
echo ============================================================================
echo

# Strip the passphrase from each private key so Apache and the iPXE build
# can load them unattended. The .org copies keep the encrypted originals.
cp ca.key ca.key.org
openssl rsa -in ca.key.org -out ca.key \
-passin file:sslpass

cp server.key server.key.org
openssl rsa -in server.key.org -out server.key \
-passin file:sslpass

cp client.key client.key.org
openssl rsa -in client.key.org -out client.key \
-passin file:sslpass

cp codesign.key codesign.key.org
openssl rsa -in codesign.key.org -out codesign.key \
-passin file:sslpass

echo
echo ============================================================================
echo
echo '                          Signing CODE'
echo
echo ============================================================================
echo

cd /var/asys/ipxe/certs

# Detached DER CMS signatures over the files iPXE will fetch; -certfile
# includes the CA certificate in the signature so iPXE can build the chain.
openssl cms -sign -binary -noattr -signer codesign.crt -inkey codesign.key -certfile ca.crt -outform DER \
    -in /var/asys/www/bootstrap.ipxe -out /var/asys/www/bootstrap.ipxe.sig

openssl cms -sign -binary -noattr -signer codesign.crt -inkey codesign.key -certfile ca.crt -outform DER \
    -in /var/asys/www/memdisk -out /var/asys/www/memdisk.sig

openssl cms -sign -binary -noattr -signer codesign.crt -inkey codesign.key -certfile ca.crt -outform DER \
    -in /var/asys/www/00\:0c\:29\:41\:d1\:da/loader.iso -out /var/asys/www/00\:0c\:29\:41\:d1\:da/loader.sig

echo
echo ============================================================================
echo
echo '                      MAKING undionly.kpxe'
echo
echo ============================================================================
echo

# UPDATE IPXE from GIT
# cd /var/ipxe
# git pull

# MAKE undionly
cd /usr/src/ipxe/src

# First build without TRUST/CERT/PRIVKEY to clear any previously embedded
# certificates from the build tree
make bin/undionly.kpxe EMBED=/var/asys/ipxe/scripts/secureBoot.ipxe

# Then build with the CA as the trust anchor and the client certificate and
# key embedded for client verification
#make bin/undionly.kpxe EMBED=/var/asys/ipxe/scripts/secureBoot.ipxe TRUST=/var/asys/ipxe/certs/ca.crt
make bin/undionly.kpxe EMBED=/var/asys/ipxe/scripts/secureBoot.ipxe TRUST=/var/asys/ipxe/certs/ca.crt CERT=/var/asys/ipxe/certs/client.crt PRIVKEY=/var/asys/ipxe/certs/client.key

cp bin/undionly.kpxe /var/asys/pxe/undionly.kpxe.0

echo
echo ============================================================================
echo
echo '                    RESTARTING webservices'
echo
echo ============================================================================
echo

/var/asys/restart.sh

And here is my complete httpd.conf:
Code:
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName 192.168.11.152:443

    DocumentRoot /var/asys/www

    SSLEngine on
    SSLOptions +StrictRequire

    SSLProtocol -all +TLSv1 +SSLv3
    SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM

    SSLCACertificateFile /var/asys/ipxe/certs/ca.crt
    SSLCertificateFile /var/asys/ipxe/certs/server.crt
    SSLCertificateKeyFile /var/asys/ipxe/certs/server.key

    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>

    <Directory /var/asys/www>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all

        SSLRequireSSL
        #SSLRequire
        # Per-directory SSLVerifyClient: mod_ssl only knows the directory
        # after it has read the request, so it asks for the client
        # certificate by renegotiating the already established connection
        # ("Changed client verification type will force renegotiation" in
        # the error log above).
        SSLVerifyClient require
        SSLVerifyDepth 10
    </Directory>

    BrowserMatch "MSIE [2-5]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0

    LogLevel debug
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined

</VirtualHost>
</IfModule>
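An added check, not part of this post or of iPXE: two stdlib-only Python functions that recognise the failure pattern shown above, one over mod_ssl error-log lines and one over httpd.conf text. mod_ssl can only honour an SSLVerifyClient placed inside a <Directory>/<Location>/<Files> container by renegotiating after it has read the request, and the log shows OpenSSL refusing that renegotiation because the peer does not offer secure renegotiation. The sample log lines and config fragment are constructed from the post above.

```python
import re

# Constructed sample: a subset of the mod_ssl debug log lines quoted in the post above.
SAMPLE_LOG = """\
Connection: Client IP: 192.168.11.131, Protocol: TLSv1.2, Cipher: AES256-SHA256 (256/256 bits)
Initial (No.1) HTTPS request received for child 1 (server 192.168.11.152:443)
ssl_engine_kernel.c(510): [client 192.168.11.131] Changed client verification type will force renegotiation
[client 192.168.11.131] Requesting connection re-negotiation
[client 192.168.11.131] Re-negotiation request failed
SSL Library Error: 336068946 error:14080152:SSL routines:SSL3_ACCEPT:unsafe legacy renegotiation disabled
"""

# Constructed sample: the relevant part of the httpd.conf quoted in the post above.
SAMPLE_CONF = """\
<VirtualHost *:443>
    SSLEngine on
    <Directory /var/asys/www>
        SSLRequireSSL
        SSLVerifyClient require
    </Directory>
</VirtualHost>
"""

RENEG_FORCED = re.compile(r"\[client ([\d.]+)\] Changed client verification type will force renegotiation")
RENEG_FAILED = re.compile(r"\[client ([\d.]+)\] Re-negotiation request failed")
LEGACY_RENEG = "unsafe legacy renegotiation disabled"
OPEN_TAG = re.compile(r"^\s*<(Directory|Location|Files)\b([^>]*)>", re.I)
CLOSE_TAG = re.compile(r"^\s*</(Directory|Location|Files)>", re.I)
VERIFY = re.compile(r"^\s*SSLVerifyClient\s+(\S+)", re.I)

def find_failed_renegotiations(log_text):
    """Clients for which mod_ssl forced a renegotiation that then failed, plus whether
    OpenSSL refused it because the peer lacks the secure-renegotiation extension."""
    forced, failed, legacy = set(), set(), False
    for line in log_text.splitlines():
        if m := RENEG_FORCED.search(line):
            forced.add(m.group(1))
        if m := RENEG_FAILED.search(line):
            failed.add(m.group(1))
        legacy = legacy or LEGACY_RENEG in line
    return {"clients": sorted(forced & failed), "legacy_reneg_disabled": legacy}

def per_directory_verify_client(conf_text):
    """SSLVerifyClient directives found inside a <Directory>/<Location>/<Files> container.
    Each of these can only take effect through a renegotiation after the request is read."""
    stack, hits = [], []
    for line in conf_text.splitlines():
        if m := OPEN_TAG.match(line):
            stack.append((m.group(1) + m.group(2)).strip())
        elif CLOSE_TAG.match(line) and stack:
            stack.pop()
        elif (m := VERIFY.match(line)) and stack:
            hits.append((stack[-1], m.group(1)))
    return hits
```

Running both functions over the full error log and httpd.conf ties the symptom (a forced renegotiation the client cannot complete) to the directive that triggers it.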